Commit 3ca48414 by Robbert Krebbers

### Merge branch 'master' of gitlab.mpi-sws.org:FP/iris-coq

parents d71cbe0f 04d3ee68
 ... ... @@ -2,6 +2,7 @@ \subsection{COFE} This definition varies slightly from the original one in~\cite{catlogic}. \begin{defn}[Chain] Given some set $\cofe$ and an indexed family $({\nequiv{n}} \subseteq \cofe \times \cofe)_{n \in \mathbb{N}}$ of equivalence relations, a \emph{chain} is a function $c : \mathbb{N} \to \cofe$ such that $\All n, m. n \leq m \Ra c (m) \nequiv{n} c (n)$. \end{defn} ... ... @@ -22,6 +23,8 @@ An element $x \in \cofe$ of a COFE is called \emph{discrete} if $\All y \in \cofe. x \nequiv{0} y \Ra x = y$ A COFE $A$ is called \emph{discrete} if all its elements are discrete. For a set $X$, we write $\Delta X$ for the discrete COFE with $x \nequiv{n} x' \eqdef x = x'$ \end{defn} \begin{defn} ... ... @@ -30,6 +33,7 @@ It is \emph{contractive} if $\All n, x \in \cofe, y \in \cofe. (\All m < n. x \nequiv{m} y) \Ra f(x) \nequiv{n} f(x)$ \end{defn} The reason that contractive functions are interesting is that for every contractive $f : \cofe \to \cofe$ with $\cofe$ inhabited, there exists a fixed-point $\fix(f)$ such that $\fix(f) = f(\fix(f))$. \begin{defn} The category $\COFEs$ consists of COFEs as objects, and non-expansive functions as arrows. ... ... @@ -52,7 +56,31 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th \subsection{RA} \ralf{Copy this from the paper, when that one is more polished.} \begin{defn} A \emph{resource algebra} (RA) is a tuple \\ $(\monoid, \mval \subseteq \monoid, \mcore{-}: \monoid \to \monoid, (\mtimes) : \monoid \times \monoid \to \monoid)$ satisfying \begin{align*} \All \melt, \meltB, \meltC.& (\melt \mtimes \meltB) \mtimes \meltC = \melt \mtimes (\meltB \mtimes \meltC) \tagH{ra-assoc} \\ \All \melt, \meltB.& \melt \mtimes \meltB = \meltB \mtimes \melt \tagH{ra-comm} \\ \All \melt.& \mcore\melt \mtimes \melt = \melt \tagH{ra-core-id} \\ \All \melt.& \mcore{\mcore\melt} = \mcore\melt \tagH{ra-core-idem} \\ \All \melt, \meltB.& \melt \mincl \meltB \Ra \mcore\melt \mincl \mcore\meltB \tagH{ra-core-mono} \\ \All \melt, \meltB.& (\melt \mtimes \meltB) \in \mval \Ra \melt \in \mval \tagH{ra-valid-op} \\ \text{where}\qquad %\qquad\\ \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{ra-incl} \end{align*} \end{defn} \begin{defn} It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if $\All \melt_\f. \melt \mtimes \melt_\f \in \mval \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_\f \in \mval$ We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. \end{defn} \ralf{Copy the explanation from the paper, when that one is more polished.} \subsection{CMRA} ... ... @@ -70,7 +98,8 @@ Note that the composition of non-expansive (bi)functors is non-expansive, and th \All n, \melt, \meltB_1, \meltB_2.& \omit\rlap{$\melt \in \mval_n \land \melt \nequiv{n} \meltB_1 \mtimes \meltB_2 \Ra {}$} \\ &\Exists \meltC_1, \meltC_2. \melt = \meltC_1 \mtimes \meltC_2 \land \meltC_1 \nequiv{n} \meltB_1 \land \meltC_2 \nequiv{n} \meltB_2 \tagH{cmra-extend} \\ \text{where}\qquad\qquad\\ \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl} \melt \mincl \meltB \eqdef{}& \Exists \meltC. \meltB = \melt \mtimes \meltC \tagH{cmra-incl}\\ \melt \mincl[n] \meltB \eqdef{}& \Exists \meltC. \meltB \nequiv{n} \melt \mtimes \meltC \tagH{cmra-inclN} \end{align*} \end{defn} ... ... @@ -117,7 +146,7 @@ This operation is needed to prove that $\later$ commutes with existential quanti \begin{defn} It is possible to do a \emph{frame-preserving update} from $\melt \in \monoid$ to $\meltsB \subseteq \monoid$, written $\melt \mupd \meltsB$, if $\All n, \melt_f. \melt \mtimes \melt_f \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_f \in \mval_n$ $\All n, \melt_\f. \melt \mtimes \melt_\f \in \mval_n \Ra \Exists \meltB \in \meltsB. \meltB \mtimes \melt_\f \in \mval_n$ We further define $\melt \mupd \meltB \eqdef \melt \mupd \set\meltB$. \end{defn} ... ...
This diff is collapsed.
 ... ... @@ -205,9 +205,64 @@ The following rules can be derived for Hoare triples. \end{mathparpagebreakable} \paragraph{Lifting of operational semantics.} We can derive some specialized forms of the lifting axioms for the operational semantics, as well as some forms that involve view shifts and Hoare triples. We can derive some specialized forms of the lifting axioms for the operational semantics. \begin{mathparpagebreakable} \infer[wp-lift-atomic-step] {\atomic(\expr_1) \and \red(\expr_1, \state_1) \and \All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f)} {\later\ownPhys{\state_1} * \later\All \val_2, \state_2, \expr_\f. \pred(\ofval(\val), \state_2, \expr_\f) \land \ownPhys{\state_2} \wand \prop[\val_2/\var] * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \infer[wp-lift-atomic-det-step] {\atomic(\expr_1) \and \red(\expr_1, \state_1) \and \All \expr'_2, \state'_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_2 = \state_2' \land \toval(\expr_2') = \val_2 \land \expr_\f = \expr_\f'} {\later\ownPhys{\state_1} * \later(\ownPhys{\state_2} \wand \prop[\val_2/\var] * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE}) \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \infer[wp-lift-pure-det-step] {\toval(\expr_1) = \bot \and \All \state_1. \red(\expr_1, \state_1) \and \All \state_1, \expr_2', \state_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \expr_2 = \expr_2' \land \expr_\f = \expr_\f'} {\later ( \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE}) \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \end{mathparpagebreakable} \ralf{Add these.} Furthermore, we derive some forms that directly involve view shifts and Hoare triples. \begin{mathparpagebreakable} \infer[ht-lift-step] {\mask_2 \subseteq \mask_1 \and \toval(\expr_1) = \bot \and \red(\expr_1, \state_1) \and \All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f) \\\\ \prop \vs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\prop' \and \All \expr_2, \state_2, \expr_\f. \pred(\expr_2, \state_2, \expr_\f) * \ownPhys{\state_2} * \prop' \vs[\mask_2][\mask_1] \propB_1 * \propB_2 \\\\ \All \expr_2, \state_2, \expr_\f. \hoare{\propB_1}{\expr_2}{\Ret\val.\propC}[\mask_1] \and \All \expr_2, \state_2, \expr_\f. \hoare{\propB_2}{\expr_\f}{\Ret\any. \TRUE}[\top]} { \hoare\prop{\expr_1}{\Ret\val.\propC}[\mask_1] } \infer[ht-lift-atomic-step] {\atomic(\expr_1) \and \red(\expr_1, \state_1) \and \All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f) \\\\ \prop \vs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\prop' \and \All \expr_2, \state_2, \expr_\f. \hoare{\pred(\expr_2,\state_2,\expr_\f) * \prop}{\expr_\f}{\Ret\any. \TRUE}[\top]} { \hoare{\later\ownPhys{\state_1} * \later\prop}{\expr_1}{\Ret\val.\Exists \state_2, \expr_\f. \ownPhys{\state_2} * \pred(\ofval(\expr_2),\state_2,\expr_\f)}[\mask_1] } \infer[ht-lift-pure-step] {\toval(\expr_1) = \bot \and \All\state_1. \red(\expr_1, \state_1) \and \All \state_1, \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr_\f) \\\\ \All \expr_2, \expr_\f. \hoare{\pred(\expr_2,\expr_\f) * \prop}{\expr_2}{\Ret\val.\propB}[\mask_1] \and \All \expr_2, \expr_\f. \hoare{\pred(\expr_2,\expr_\f) * \prop'}{\expr_\f}{\Ret\any. \TRUE}[\top]} { \hoare{\later(\prop*\prop')}{\expr_1}{\Ret\val.\propB}[\mask_1] } \infer[ht-lift-pure-det-step] {\toval(\expr_1) = \bot \and \All\state_1. \red(\expr_1, \state_1) \and \All \state_1, \expr_2', \state_2, \expr_\f'. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \expr_2 = \expr_2' \land \expr_\f = \expr_\f' \\\\ \hoare{\prop}{\expr_2}{\Ret\val.\propB}[\mask_1] \and \hoare{\prop'}{\expr_\f}{\Ret\any. \TRUE}[\top]} { \hoare{\later(\prop*\prop')}{\expr_1}{\Ret\val.\propB}[\mask_1] } \end{mathparpagebreakable} \subsection{Global functor and ghost ownership} ... ... @@ -282,6 +337,7 @@ We can now derive the following rules for this derived form of the invariant ass {\knowInv\namesp\prop \proves \propB \vs[\mask] \propC} \end{mathpar} % TODO: These need syncing with Coq % \subsection{STSs with interpretation}\label{sec:stsinterp} % Building on \Sref{sec:stsmon}, after constructing the monoid $\STSMon{\STSS}$ for a particular STS, we can use an invariant to tie an interpretation, $\pred : \STSS \to \Prop$, to the STS's current state, recovering CaReSL-style reasoning~\cite{caresl}. ... ... @@ -382,21 +438,21 @@ We can now derive the following rules for this derived form of the invariant ass % {\later\pred_\bot(a) \vs[\mask] \exists \iname \in \mask, \gname.\; \Auth(M, \pred, \gname, \iname) * \ownGhost{\gname}{\authfrag a : \auth{M}}} % \and % \axiomH{AuthOpen} % {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_f.\; \later\pred_\bot(\melt \mtimes \melt_f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_f, \authfrag a:\auth{M}}} % {\Auth(M, \pred, \gname, \iname) \vdash \ownGhost{\gname}{\authfrag \melt : \auth{M}} \vsE[\{\iname\}][\emptyset] \exists \melt_\f.\; \later\pred_\bot(\melt \mtimes \melt_\f) * \ownGhost{\gname}{\authfull \melt \mtimes \melt_\f, \authfrag a:\auth{M}}} % \and % \axiomH{AuthClose} % {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_f) * \ownGhost{\gname}{\authfull a \mtimes \melt_f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} } % {\Auth(M, \pred, \gname, \iname) \vdash \later\pred_\bot(\meltB \mtimes \melt_\f) * \ownGhost{\gname}{\authfull a \mtimes \melt_\f, \authfrag a:\auth{M}} \vs[\emptyset][\{\iname\}] \ownGhost{\gname}{\authfrag \meltB : \auth{M}} } % \end{mathpar} % These view shifts in turn can be used to prove variants of the invariant rules: % \begin{mathpar} % \inferH{Auth} % {\forall \melt_f.\; \hoare{\later\pred_\bot(a \mtimes \melt_f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_f) * Q}[\mask] % {\forall \melt_\f.\; \hoare{\later\pred_\bot(a \mtimes \melt_\f) * P}{\expr}{\Ret\val. \exists \meltB.\; \later\pred_\bot(\meltB\mtimes \melt_\f) * Q}[\mask] % \and \physatomic{\expr}} % {\Auth(M, \pred, \gname, \iname) \vdash \hoare{\ownGhost{\gname}{\authfrag a:\auth{M}} * P}{\expr}{\Ret\val. \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q}[\mask \uplus \{\iname\}]} % \and % \inferH{VSAuth} % {\forall \melt_f.\; \later\pred_\bot(a \mtimes \melt_f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_f) * Q(\meltB)} % {\forall \melt_\f.\; \later\pred_\bot(a \mtimes \melt_\f) * P \vs[\mask_1][\mask_2] \exists \meltB.\; \later\pred_\bot(\meltB \mtimes \melt_\f) * Q(\meltB)} % {\Auth(M, \pred, \gname, \iname) \vdash % \ownGhost{\gname}{\authfrag a:\auth{M}} * P \vs[\mask_1 \uplus \{\iname\}][\mask_2 \uplus \{\iname\}] % \exists \meltB.\; \ownGhost{\gname}{\authfrag \meltB:\auth{M}} * Q(\meltB)} ... ...
 ... ... @@ -86,13 +86,15 @@ \newcommand{\rs}{r} \newcommand{\rsB}{s} \newcommand{\rss}{R} \newcommand{\pres}{\pi} \newcommand{\wld}{w} \newcommand{\ghostRes}{g} %% Various pieces of syntax \newcommand{\wsat}[4]{#1 \models_{#2} #3; #4} \newcommand{\wsat}[3]{#1 \models_{#2} #3} \newcommand{\wsatpre}{\textdom{pre-wsat}} \newcommand{\wtt}[2]{#1 : #2} % well-typed term ... ... @@ -114,6 +116,7 @@ \newcommand{\UPred}{\textdom{UPred}} \newcommand{\mProp}{\textdom{Prop}} % meta-level prop \newcommand{\iProp}{\textdom{iProp}} \newcommand{\iPreProp}{\textdom{iPreProp}} \newcommand{\Wld}{\textdom{Wld}} \newcommand{\Res}{\textdom{Res}} ... ... @@ -121,6 +124,7 @@ \newcommand{\cofeB}{U} \newcommand{\COFEs}{\mathcal{U}} % category of COFEs \newcommand{\iFunc}{\Sigma} \newcommand{\fix}{\textdom{fix}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % CMRA (RESOURCE ALGEBRA) SYMBOLS & NOTATION & IDENTIFIERS ... ... @@ -136,6 +140,8 @@ \newcommand{\melts}{A} \newcommand{\meltsB}{B} \newcommand{\f}{\mathrm{f}} % for "frame" \newcommand{\mcar}[1]{|#1|} \newcommand{\mcarp}[1]{\mcar{#1}^{+}} \newcommand{\munit}{\varepsilon} ... ... @@ -221,7 +227,7 @@ \newcommand*{\knowInv}[2]{\boxedassert{#2}[#1]} \newcommand*{\ownGhost}[2]{\boxedassert[densely dashed]{#2}[#1]} \newcommand*{\ownGGhost}[1]{\boxedassert[densely dashed]{#1}} \newcommand{\ownM}[1]{\textlog{Own}(#1)} \newcommand{\ownPhys}[1]{\textlog{Phy}(#1)} %% View Shifts ... ... @@ -286,7 +292,7 @@ %% Some commonly used identifiers \newcommand{\timeless}[1]{\textlog{timeless}(#1)} \newcommand{\physatomic}[1]{\textlog{$#1$ phys.\ atomic}} \newcommand{\physatomic}[1]{\textlog{atomic}($#1$)} \newcommand{\infinite}{\textlog{infinite}} \newcommand{\Prop}{\textlog{Prop}} ... ... @@ -321,13 +327,14 @@ % Agreement \newcommand{\agm}{\ensuremath{\textmon{Ag}}} \newcommand{\ag}{\textlog{ag}} \newcommand{\aginj}{\textlog{ag}} % Fraction \newcommand{\fracm}{\ensuremath{\textmon{Frac}}} % Exclusive \newcommand{\exm}{\ensuremath{\textmon{Ex}}} \newcommand{\exinj}{\textlog{ex}} % Auth \newcommand{\authm}{\textmon{Auth}} ... ...
 ... ... @@ -33,8 +33,8 @@ \endgroup\clearpage\begingroup \input{logic} \endgroup\clearpage\begingroup %\input{model} %\endgroup\clearpage\begingroup \input{model} \endgroup\clearpage\begingroup \input{derived} \endgroup\clearpage\begingroup \printbibliography ... ...
 ... ... @@ -7,7 +7,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions} \end{mathpar} \item There exists a \emph{primitive reduction relation} $(-,- \step -,-,-) \subseteq \textdom{Expr} \times \textdom{State} \times \textdom{Expr} \times \textdom{State} \times (\textdom{Expr} \uplus \set{\bot})$ We will write $\expr_1, \state_1 \step \expr_2, \state_2$ for $\expr_1, \state_1 \step \expr_2, \state_2, \bot$. \\ A reduction $\expr_1, \state_1 \step \expr_2, \state_2, \expr'$ indicates that, when $\expr_1$ reduces to $\expr$, a \emph{new thread} $\expr'$ is forked off. A reduction $\expr_1, \state_1 \step \expr_2, \state_2, \expr_\f$ indicates that, when $\expr_1$ reduces to $\expr$, a \emph{new thread} $\expr_\f$ is forked off. \item All values are stuck: $\expr, \_ \step \_, \_, \_ \Ra \toval(\expr) = \bot$ \item There is a predicate defining \emph{atomic} expressions satisfying ... ... @@ -16,7 +16,7 @@ A \emph{language} $\Lang$ consists of a set \textdom{Expr} of \emph{expressions} {\All\expr. \atomic(\expr) \Ra \toval(\expr) = \bot} \and {{ \begin{inbox} \All\expr_1, \state_1, \expr_2, \state_2, \expr'. \atomic(\expr_1) \land \expr_1, \state_1 \step \expr_2, \state_2, \expr' \Ra {}\\\qquad\qquad\qquad\quad~~ \Exists \val_2. \toval(\expr_2) = \val_2 \All\expr_1, \state_1, \expr_2, \state_2, \expr_\f. \atomic(\expr_1) \land \expr_1, \state_1 \step \expr_2, \state_2, \expr_\f \Ra {}\\\qquad\qquad\qquad\quad~~ \Exists \val_2. \toval(\expr_2) = \val_2 \end{inbox} }} \end{mathpar} ... ... @@ -26,7 +26,7 @@ It does not matter whether they fork off an arbitrary expression. \begin{defn} An expression $\expr$ and state $\state$ are \emph{reducible} (written $\red(\expr, \state)$) if $\Exists \expr_2, \state_2, \expr'. \expr,\state \step \expr_2,\state_2,\expr'$ $\Exists \expr_2, \state_2, \expr_\f. \expr,\state \step \expr_2,\state_2,\expr_\f$ \end{defn} \begin{defn}[Context] ... ... @@ -35,9 +35,9 @@ It does not matter whether they fork off an arbitrary expression. \item $\lctx$ does not turn non-values into values:\\ $\All\expr. \toval(\expr) = \bot \Ra \toval(\lctx(\expr)) = \bot$ \item One can perform reductions below $\lctx$:\\ $\All \expr_1, \state_1, \expr_2, \state_2, \expr'. \expr_1, \state_1 \step \expr_2,\state_2,\expr' \Ra \lctx(\expr_1), \state_1 \step \lctx(\expr_2),\state_2,\expr'$ $\All \expr_1, \state_1, \expr_2, \state_2, \expr_\f. \expr_1, \state_1 \step \expr_2,\state_2,\expr_\f \Ra \lctx(\expr_1), \state_1 \step \lctx(\expr_2),\state_2,\expr_\f$ \item Reductions stay below $\lctx$ until there is a value in the hole:\\ $\All \expr_1', \state_1, \expr_2, \state_2, \expr'. \toval(\expr_1') = \bot \land \lctx(\expr_1'), \state_1 \step \expr_2,\state_2,\expr' \Ra \Exists\expr_2'. \expr_2 = \lctx(\expr_2') \land \expr_1', \state_1 \step \expr_2',\state_2,\expr'$ $\All \expr_1', \state_1, \expr_2, \state_2, \expr_\f. \toval(\expr_1') = \bot \land \lctx(\expr_1'), \state_1 \step \expr_2,\state_2,\expr_\f \Ra \Exists\expr_2'. \expr_2 = \lctx(\expr_2') \land \expr_1', \state_1 \step \expr_2',\state_2,\expr_\f$ \end{enumerate} \end{defn} ... ... @@ -54,9 +54,9 @@ For any language $\Lang$, we define the corresponding thread-pool semantics. \cfg{\tpool'}{\state'}} \begin{mathpar} \infer {\expr_1, \state_1 \step \expr_2, \state_2, \expr' \and \expr' \neq ()} {\expr_1, \state_1 \step \expr_2, \state_2, \expr_\f \and \expr_\f \neq \bot} {\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step \cfg{\tpool \dplus [\expr_2] \dplus \tpool' \dplus [\expr']}{\state'}} \cfg{\tpool \dplus [\expr_2] \dplus \tpool' \dplus [\expr_\f]}{\state'}} \and\infer {\expr_1, \state_1 \step \expr_2, \state_2} {\cfg{\tpool \dplus [\expr_1] \dplus \tpool'}{\state} \step ... ... @@ -124,7 +124,7 @@ Iris syntax is built up from a signature $\Sig$ and a countably infinite set $\t \prop * \prop \mid \prop \wand \prop \mid \\& \MU \var:\type. \pred \mid \MU \var:\type. \term \mid \Exists \var:\type. \prop \mid \All \var:\type. \prop \mid \\& ... ... @@ -136,7 +136,7 @@ Iris syntax is built up from a signature$\Sig$and a countably infinite set$\t \pvs[\term][\term] \prop\mid \wpre{\term}[\term]{\Ret\var.\term} \end{align*} Recursive predicates must be \emph{guarded}: in $\MU \var. \pred$, the variable $\var$ can only appear under the later $\later$ modality. Recursive predicates must be \emph{guarded}: in $\MU \var. \term$, the variable $\var$ can only appear under the later $\later$ modality. Note that $\always$ and $\later$ bind more tightly than $*$, $\wand$, $\land$, $\lor$, and $\Ra$. We will write $\pvs[\term] \prop$ for $\pvs[\term][\term] \prop$. ... ... @@ -170,8 +170,6 @@ We introduce additional metavariables ranging over terms and generally let the c \] \paragraph{Variable conventions.} We often abuse notation, using the preceding \emph{term} meta-variables to range over (bound) \emph{variables}. We omit type annotations in binders, when the type is clear from context. We assume that, if a term occurs multiple times in a rule, its free variables are exactly those binders which are available at every occurrence. ... ... @@ -538,7 +536,7 @@ This is entirely standard. {\pvs[\mask_1][\mask_2] \pvs[\mask_2][\mask_3] \prop \proves \pvs[\mask_1][\mask_3] \prop} \infer[pvs-mask-frame] {}{\pvs[\mask_1][\mask_2] \prop \proves \pvs[\mask_1 \uplus \mask_f][\mask_2 \uplus \mask_f] \prop} {}{\pvs[\mask_1][\mask_2] \prop \proves \pvs[\mask_1 \uplus \mask_\f][\mask_2 \uplus \mask_\f] \prop} \infer[pvs-frame] {}{\propB * \pvs[\mask_1][\mask_2]\prop \proves \pvs[\mask_1][\mask_2] \propB * \prop} ... ... @@ -596,17 +594,19 @@ This is entirely standard. {\mask_2 \subseteq \mask_1 \and \toval(\expr_1) = \bot \and \red(\expr_1, \state_1) \and \All \expr_2, \state_2, \expr'. \expr_1,\state_1 \step \expr_2,\state_2,\expr' \Ra \pred(\expr_2,\state_2,\expr')} {\pvs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\All \expr_2, \state_2, \expr'. \pred(\expr_2, \state_2, \expr') \land \ownPhys{\state_2} \wand \pvs[\mask_2][\mask_1] \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr'}[\top]{\Ret\var.\TRUE} {}\\\proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \All \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \pred(\expr_2,\state_2,\expr_\f)} { {\begin{inbox} % for some crazy reason, LaTeX is actually sensitive to the space between the "{ {" here and the "} }" below... ~~\pvs[\mask_1][\mask_2] \later\ownPhys{\state_1} * \later\All \expr_2, \state_2, \expr_\f. \pred(\expr_2, \state_2, \expr_\f) \land {}\\\qquad\qquad\qquad\qquad\qquad \ownPhys{\state_2} \wand \pvs[\mask_2][\mask_1] \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} {}\\\proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop} \end{inbox}} } \infer[wp-lift-pure-step] {\toval(\expr_1) = \bot \and \All \state_1. \red(\expr_1, \state_1) \and \All \state_1, \expr_2, \state_2, \expr'. \expr_1,\state_1 \step \expr_2,\state_2,\expr' \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr')} {\later\All \expr_2, \expr'. \pred(\expr_2, \expr') \wand \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr'}[\top]{\Ret\var.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \All \state_1, \expr_2, \state_2, \expr_\f. \expr_1,\state_1 \step \expr_2,\state_2,\expr_\f \Ra \state_1 = \state_2 \land \pred(\expr_2,\expr_\f)} {\later\All \expr_2, \expr_\f. \pred(\expr_2, \expr_\f) \Ra \wpre{\expr_2}[\mask_1]{\Ret\var.\prop} * \wpre{\expr_\f}[\top]{\Ret\any.\TRUE} \proves \wpre{\expr_1}[\mask_1]{\Ret\var.\prop}} \end{mathpar} Here we define $\wpre{\expr'}[\mask]{\Ret\var.\prop} \eqdef \TRUE$ if $\expr' = \bot$ (remember that our stepping relation can, but does not have to, define a forked-off expression). Here we define $\wpre{\expr_\f}[\mask]{\Ret\var.\prop} \eqdef \TRUE$ if $\expr_\f = \bot$ (remember that our stepping relation can, but does not have to, define a forked-off expression). \subsection{Adequacy} ... ...
This diff is collapsed.
 ... ... @@ -447,7 +447,7 @@ Proof. end; auto with f_equal. Qed. Instance: Inj (=) (=) of_val. Instance of_val_inj : Inj (=) (=) of_val. Proof. by intros ?? Hv; apply (inj Some); rewrite -!to_of_val Hv. Qed. Instance fill_item_inj Ki : Inj (=) (=) (fill_item Ki). ... ...
 ... ... @@ -25,16 +25,18 @@ Lemma wp_alloc_pst E σ e v Φ : ⊢ WP Alloc e @ E {{ Φ }}. Proof. (* TODO RJ: This works around ssreflect bug #22. *) intros. set (φ v' σ' ef := ∃ l, ef = None ∧ v' = LocV l ∧ σ' = <[l:=v]>σ ∧ σ !! l = None). intros. set (φ (e' : expr []) σ' ef := ∃ l, ef = None ∧ e' = Loc l ∧ σ' = <[l:=v]>σ ∧ σ !! l = None). rewrite -(wp_lift_atomic_step (Alloc e) φ σ) // /φ; last by intros; inv_step; eauto 8. last (by intros; inv_step; eauto 8); last (by simpl; eauto). apply sep_mono, later_mono; first done. apply forall_intro=>e2; apply forall_intro=>σ2; apply forall_intro=>ef. apply forall_intro=>v2; apply forall_intro=>σ2; apply forall_intro=>ef. apply wand_intro_l. rewrite always_and_sep_l -assoc -always_and_sep_l. apply const_elim_l=>-[l [-> [-> [-> ?]]]]. by rewrite (forall_elim l) right_id const_equiv // left_id wand_elim_r. apply const_elim_l=>-[l [-> [Hl [-> ?]]]]. rewrite (forall_elim l) right_id const_equiv // left_id wand_elim_r. rewrite -(of_to_val (Loc l) (LocV l)) // in Hl. apply of_val_inj in Hl. by subst. Qed. Lemma wp_load_pst E σ l v Φ : ... ... @@ -42,7 +44,7 @@ Lemma wp_load_pst E σ l v Φ : (▷ ownP σ ★ ▷ (ownP σ -★ Φ v)) ⊢ WP Load (Loc l) @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_atomic_det_step σ v σ None) ?right_id //; last by intros; inv_step; eauto using to_of_val. last (by intros; inv_step; eauto using to_of_val); simpl; by eauto. Qed. Lemma wp_store_pst E σ l e v v' Φ : ... ... @@ -51,7 +53,7 @@ Lemma wp_store_pst E σ l e v v' Φ : ⊢ WP Store (Loc l) e @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_atomic_det_step σ (LitV LitUnit) (<[l:=v]>σ) None) ?right_id //; last by intros; inv_step; eauto. ?right_id //; last (by intros; inv_step; eauto); simpl; by eauto. Qed. Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ : ... ... @@ -60,7 +62,8 @@ Lemma wp_cas_fail_pst E σ l e1 v1 e2 v2 v' Φ : ⊢ WP CAS (Loc l) e1 e2 @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_atomic_det_step σ (LitV $LitBool false) σ None) ?right_id //; last by intros; inv_step; eauto. ?right_id //; last (by intros; inv_step; eauto); simpl; split_and?; by eauto. Qed. Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ : ... ... @@ -69,7 +72,8 @@ Lemma wp_cas_suc_pst E σ l e1 v1 e2 v2 Φ : ⊢ WP CAS (Loc l) e1 e2 @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_atomic_det_step σ (LitV$ LitBool true) (<[l:=v2]>σ) None) ?right_id //; last by intros; inv_step; eauto. (<[l:=v2]>σ) None) ?right_id //; last (by intros; inv_step; eauto); simpl; split_and?; by eauto. Qed. (** Base axioms for core primitives of the language: Stateless reductions *) ... ...
 ... ... @@ -23,19 +23,19 @@ Lemma ht_lift_step E1 E2 E2 ⊆ E1 → to_val e1 = None → reducible e1 σ1 → (∀ e2 σ2 ef, prim_step e1 σ1 e2 σ2 ef → φ e2 σ2 ef) → ((P ={E1,E2}=> ▷ ownP σ1 ★ ▷ P') ∧ ∀ e2 σ2 ef, (■ φ e2 σ2 ef ★ ownP σ2 ★ P' ={E2,E1}=> Φ1 e2 σ2 ef ★ Φ2 e2 σ2 ef) ∧ {{ Φ1 e2 σ2 ef }} e2 @ E1 {{ Ψ }} ∧ {{ Φ2 e2 σ2 ef }} ef ?@ ⊤ {{ λ _, True }}) ((P ={E1,E2}=> ▷ ownP σ1 ★ ▷ P') ∧ (∀ e2 σ2 ef, ■ φ e2 σ2 ef ★ ownP σ2 ★ P' ={E2,E1}=> Φ1 e2 σ2 ef ★ Φ2 e2 σ2 ef) ∧ (∀ e2 σ2 ef, {{ Φ1 e2 σ2 ef }} e2 @ E1 {{ Ψ }}) ∧ (∀ e2 σ2 ef, {{ Φ2 e2 σ2 ef }} ef ?@ ⊤ {{ λ _, True }})) ⊢ {{ P }} e1 @ E1 {{ Ψ }}. Proof. intros ?? Hsafe Hstep; apply: always_intro. apply impl_intro_l. rewrite (assoc _ P) {1}/vs always_elim impl_elim_r pvs_always_r. rewrite -(wp_lift_step E1 E2 φ _ e1 σ1) //; apply pvs_mono. rewrite always_and_sep_r -assoc; apply sep_mono_r. rewrite (later_intro (∀ _, _)) -later_sep; apply later_mono. rewrite [(_ ∧ _)%I]later_intro -later_sep; apply later_mono. apply forall_intro=>e2; apply forall_intro=>σ2; apply forall_intro=>ef. rewrite (forall_elim e2) (forall_elim σ2) (forall_elim ef). do 3 rewrite (forall_elim e2) (forall_elim σ2) (forall_elim ef). apply wand_intro_l; rewrite !always_and_sep_l. (* Apply the view shift. *) rewrite (assoc _ _ P') -(assoc _ _ _ P') assoc. ... ... @@ -62,13 +62,14 @@ Proof. (λ e2 σ2 ef, ■ φ e2 σ2 ef ★ P)%I); try by (rewrite /φ'; eauto using atomic_not_val, atomic_step). apply and_intro; [by rewrite -vs_reflexive; apply const_intro|]. apply forall_mono=>e2; apply forall_mono=>σ2; apply forall_mono=>ef. apply and_intro; [|apply and_intro; [|done]]. - rewrite -vs_impl; apply: always_intro. apply impl_intro_l. - apply forall_mono=>e2; apply forall_mono=>σ2; apply forall_mono=>ef. rewrite -vs_impl; apply: always_intro. apply impl_intro_l. rewrite and_elim_l !assoc; apply sep_mono; last done. rewrite -!always_and_sep_l -!always_and_sep_r; apply const_elim_l=>-[??]. by repeat apply and_intro; try apply const_intro. - apply (always_intro _ _), impl_intro_l; rewrite and_elim_l. - apply forall_mono=>e2; apply forall_mono=>σ2; apply forall_mono=>ef. apply (always_intro _ _), impl_intro_l; rewrite and_elim_l. rewrite -always_and_sep_r; apply const_elim_r=>-[[v Hv] ?]. rewrite -(of_to_val e2 v) // -wp_value'; []. rewrite -(exist_intro σ2) -(exist_intro ef) (of_to_val e2) //. ... ... @@ -79,16 +80,15 @@ Lemma ht_lift_pure_step E (φ : expr Λ → option (expr Λ) → Prop) P P' Ψ e to_val e1 = None → (∀ σ1, reducible e1 σ1) → (∀ σ1 e2 σ2 ef, prim_step e1 σ1 e2 σ2 ef → σ1 = σ2 ∧ φ e2 ef) → (∀ e2 ef, {{ ■ φ e2 ef ★ P }} e2 @ E {{ Ψ }} ∧ {{ ■ φ e2 ef ★ P' }} ef ?@ ⊤ {{ λ _, True }}) ((∀ e2 ef, {{ ■ φ e2 ef ★ P }} e2 @ E {{ Ψ }}) ∧ (∀ e2 ef, {{ ■ φ e2 ef ★ P' }} ef ?@ ⊤ {{ λ _, True }})) ⊢ {{ ▷(P ★ P') }} e1 @ E {{ Ψ }}. Proof. intros ? Hsafe Hstep; apply: always_intro. apply impl_intro_l. rewrite -(wp_lift_pure_step E φ _ e1) //. rewrite (later_intro (∀ _, _)) -later_and; apply later_mono. rewrite [(_ ∧ ∀ _, _)%I]later_intro -later_and; apply later_mono. apply forall_intro=>e2; apply forall_intro=>ef; apply impl_intro_l. rewrite (forall_elim e2) (forall_elim ef). do 2 rewrite (forall_elim e2) (forall_elim ef). rewrite always_and_sep_l !always_and_sep_r {1}(always_sep_dup (■ _)). sep_split left: [■ φ _ _; P; {{ ■ φ _ _ ★ P }} e2 @ E {{ Ψ }}]%I. - rewrite assoc {1}/ht -always_wand_impl always_elim wand_elim_r //. ... ... @@ -106,11 +106,13 @@ Lemma ht_lift_pure_det_step Proof. intros ? Hsafe Hdet. rewrite -(ht_lift_pure_step _ (λ e2' ef', e2 = e2' ∧ ef = ef')); eauto. apply forall_intro=>e2'; apply forall_intro=>ef'; apply and_mono. - apply: always_intro. apply impl_intro_l. apply and_mono. - apply forall_intro=>e2'; apply forall_intro=>ef'. apply: always_intro. apply impl_intro_l. rewrite -always_and_sep_l -assoc; apply const_elim_l=>-[??]; subst. by rewrite /ht always_elim impl_elim_r. - destruct ef' as [e'|]; simpl; [|by apply const_intro]. - apply forall_intro=>e2'; apply forall_intro=>ef'. destruct ef' as [e'|]; simpl; [|by apply const_intro]. apply: always_intro. apply impl_intro_l. rewrite -always_and_sep_l -assoc; apply const_elim_l=>-[??]; subst. by rewrite /= /ht always_elim impl_elim_r. ... ...
 ... ... @@ -61,40 +61,42 @@ Qed. Import uPred. Lemma wp_lift_atomic_step {E Φ} e1 (φ : val Λ → state Λ → option (expr Λ) → Prop) σ1 : to_val e1 = None → (φ : expr Λ → state Λ → option (expr Λ) → Prop) σ1 : atomic e1 → reducible e1 σ1 → (∀ e2 σ2 ef, prim_step e1 σ1 e2 σ2 ef → ∃ v2, to_val e2 = Some v2 ∧ φ v2 σ2 ef) → (▷ ownP σ1 ★ ▷ ∀ v2 σ2 ef, ■ φ v2 σ2 ef ∧ ownP σ2 -★ Φ v2 ★ wp_fork ef) prim_step e1 σ1 e2 σ2 ef → φ e2 σ2 ef) → (▷ ownP σ1 ★ ▷ ∀ v2 σ2 ef, ■ φ (of_val v2) σ2 ef ∧ ownP σ2 -★ Φ v2 ★ wp_fork ef) ⊢ WP e1 @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_step E E (λ e2 σ2 ef, ∃ v2, to_val e2 = Some v2 ∧ φ v2 σ2 ef) _ e1 σ1) //; []. intros. rewrite -(wp_lift_step E E (λ e2 σ2 ef, is_Some (to_val e2) ∧ φ e2 σ2 ef) _ e1 σ1) //; try by (eauto using atomic_not_val, atomic_step). rewrite -pvs_intro. apply sep_mono, later_mono; first done. apply forall_intro=>e2'; apply forall_intro=>σ2'. apply forall_intro=>ef; apply wand_intro_l. rewrite always_and_sep_l -assoc -always_and_sep_l. apply const_elim_l=>-[v2' [Hv ?]] /=. apply const_elim_l=>-[[v2 Hv] ?] /=. rewrite -pvs_intro. rewrite (forall_elim v2') (forall_elim σ2') (forall_elim ef) const_equiv //. by rewrite left_id wand_elim_r -(wp_value _ _ e2' v2'). rewrite (forall_elim v2) (forall_elim σ2') (forall_elim ef) const_equiv //. rewrite left_id wand_elim_r -(wp_value _ _ e2' v2) //. by erewrite of_to_val. Qed. Lemma wp_lift_atomic_det_step {E Φ e1} σ1 v2 σ2 ef : to_val e1 = None → atomic e1 → reducible e1 σ1 → (∀ e2' σ2' ef', prim_step e1 σ1 e2' σ2' ef' → σ2 = σ2' ∧ to_val e2' = Some v2 ∧ ef = ef') → (▷ ownP σ1 ★ ▷ (ownP σ2 -★ Φ v2 ★ wp_fork ef)) ⊢ WP e1 @ E {{ Φ }}. Proof. intros. rewrite -(wp_lift_atomic_step _ (λ v2' σ2' ef', σ2 = σ2' ∧ v2 = v2' ∧ ef = ef') σ1) //; last naive_solver. intros. rewrite -(wp_lift_atomic_step _ (λ e2' σ2' ef', σ2 = σ2' ∧ to_val e2' = Some v2 ∧ ef = ef') σ1) //. apply sep_mono, later_mono; first done. apply forall_intro=>e2'; apply forall_intro=>σ2'; apply forall_intro=>ef'. apply wand_intro_l. rewrite always_and_sep_l -assoc -always_and_sep_l. apply const_elim_l=>-[-> [-> ->]] /=. by rewrite wand_elim_r. rewrite always_and_sep_l -assoc -always_and_sep_l to_of_val. apply const_elim_l=>-[-> [[->] ->]] /=. by rewrite wand_elim_r. Qed. Lemma wp_lift_pure_det_step {E Φ} e1 e2 ef : ... ...
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!